System and method for remote forensic access

ABSTRACT

A system for providing remote access to a storage device (38) comprises a network (34), a workstation (10) and a remote device (32). The workstation (10) comprises a write protected device interface (in the drive unit) for receiving the storage device (38), a processor (the POD server) connected to the device interface and arranged to execute one or more services on the storage device (38) and a gateway device (the PAD) arranged to create and to manage secure private connections to and from the processor over the network. The remote device (32) comprises a network interface for connecting to the network, and a processor connected to the network interface and arranged to transmit instructions to control the execution of one or more services of the workstation (10) on the storage device (38). The system can also include a management server (FIMS) which comprises a network interface for connecting to the network, and a processor connected to the network interface and arranged to transmit to the remote device (32) access information to facilitate a network connection between the network interface of the remote device and the gateway device of the workstation.

This invention relates to a system and method for providing remote access to a target device. The invention provides a method and technical architecture for controlling, managing and enabling secure forensic examinations and/or the recovery of data from remote storage media via a network, without installing anything on the examination target systems.

Digital forensic examinations are performed in order to obtain evidence related to criminal offences or abuse of corporate or home based computing (IT) systems. There are a number of globally accepted principles which apply to performing digital forensic examinations. Foremost of these are the need to prevent changes to the data being examined and to maintain a record of actions taken during the examination. In many circumstances, the speed of forensic response is also critical.

Performing digital forensic analysis requires specialist software and hardware as well as skilled and trained staff. In circumstances where a skilled forensic analyst is able to gain physical access to the computer containing the media to be examined, it is common practice to remove the media to be examined and connect it to a forensic imaging device via an interface that is designed specifically to prevent changes being made to the device being examined. This type of device is commonly referred to as a “write blocker” and its purpose is to maintain the integrity of the data being examined by preventing any changes being made to it during the forensic imaging or analysis process.

However, it is often the case that the digital media requiring examination is physically located a great distance from such specialist skills and equipment. This can result in a delay responding to the incident while the skilled staff travel to the site of the incident with the appropriate hardware and software and there are additional costs associated with such travel. Additionally, the number of skilled forensic staff available is often limited, making reacting to multiple locations within a reasonable time scale impractical and costly.

There are a number of existing alternatives that do not rely on the forensic analyst physically travelling to the location of the computer requiring examination with the appropriate software and hardware.

One solution is to pre-install specialist remote access and/or analysis software on every computer likely to be the subject of forensic examination, before the event, and to ensure that this specialist software is loaded every time the computer is started. Subsequently, when forensic examination is required, a remote forensic analyst with appropriate network authority and credentials is able to connect to the computer requiring examination, via a network using the specialist remote access and/or analysis software.

Another solution is to deliver specialist remote access and/or analysis software to the computer requiring examination on demand, once it becomes known that a device requires examination. Such software may be delivered via a network, or installed via personal intervention by someone local to the computer. This method requires that the specialist software occupies space in either the volatile memory of the computer or on the storage media which is possibly the subject of the examination. Subsequent to its installation, the software enables the remote forensic analyst to access the computer from a remote location via a network.

Yet another solution involves the removal of the storage media, by local resources, from the computer in which it is installed and shipping that media to the location of the forensic analyst. Once in the physical possession of the forensic analyst, normal forensic techniques and methods can be deployed.

There are several drawbacks to all of the current known solutions. For example, the solution which involves shipping the media to be examined to the remote forensics analyst incurs delays in transportation time and possible loss or damage in the transit system. Further, it may not be possible to maintain the evidential continuity generally required for legal proceedings unless the device is hand carried from point to point. Evidential continuity is the process by which access to items of evidential value is carefully logged and auditable. Further, it may require every person coming into contact with the evidential device to produce a witness statement to that effect. Clearly, if the device has been transported by an international courier using normal means, it may not be possible to obtain such continuity assurances from all the people that may have come into contact with it.

The other known solutions that rely on special remote access and/or analysis software being installed on the computer that is the subject of the examination all suffer drawbacks. The solution where the special access and/or analysis software is pre-installed only works if the computer to be examined has previously had the special remote access and/or analysis software installed. The organisation installing such a solution must perform careful planning and testing to ensure that the specialist remote access software does not interfere with the normal operation of the computer on which it is installed. In large organisations, such testing and evaluation often takes considerable time before the solution can be deployed. Such a solution also requires a comprehensive change control system to be in place within the organisation to ensure that any updates to the specialist remote access and/or analysis software are made available in a timely and appropriate manner. Finally, as every computer that has the solution installed on it is effectively allowing itself to be remotely accessed via the network at any time, this solution leaves every computer on which it is installed vulnerable to abuse if access to the controlling analysis systems is compromised.

In the solution where the special access software is installed on demand, the software must be loaded into the volatile memory of the computer in order to operate. If the computer is running at the time the software is delivered, the software will change the contents of the volatile memory of the computer on which it is run, which is contrary to the generally accepted principle that the process of forensic examination should not change the data being examined. Another problem is that if the computer is running at the time the software is delivered and if the software is delivered to the computer being examined via a removable storage device such as a DVD, CD or USB storage device, the act of connecting such a device to the computer requiring examination is likely to result in a change to the contents of the system hard disk, which is contrary to the generally accepted principle that the process of forensic examination should not change the data being examined.

In both solutions where the special access and/or analysis software is installed on the target computer, the solutions do not work if the target computer is not connected to a network. Computers that do not have network connections cannot be accessed using these solutions. In addition, the forensic analyst must either use tools and utilities installed on their remote computer or install such tools onto the hard disk being examined or into the memory of the target computer. Both these choices are contrary to the generally accepted principle that the process of forensic examination should not change the data being examined. Likewise, if a forensic image of the media in the target computer is required, the data from the media must be transferred over a network to a storage device under the control of the forensic analyst. Whilst this is possible, it may greatly increase the volume of traffic on the network to which the target computer is attached, resulting in possible degradation of network performance to other users of the network. Computers that are non functional cannot be examined using these methods as they are unable to run the special remote access software or sustain a network connection.

It is therefore an object of the invention to improve upon the known art.

According to a first aspect of the present invention, there is provided a system for providing remote access to a storage device comprising a network, a workstation comprising a write protected device interface for receiving the storage device, a processor connected to the device interface and arranged to execute one or more services on the storage device and a gateway device connected to the processor and arranged to create and to manage secure private connections to and from the processor over the network, and a remote device comprising a network interface for connecting to the network, and a processor connected to the network interface and arranged to transmit instructions to control the execution of one or more services of the workstation on the storage device.

According to a second aspect of the present invention, there is provided a method of operating a system for providing remote access to a storage device comprising receiving the storage device at a write protected device interface of a workstation, establishing a secure and private connection, over a network, between a network interface of a remote device and a gateway device of the workstation, transmitting instructions from the remote device to the workstation to control the execution of one or more services of the workstation on the storage device, and executing one or more services on the storage device at the workstation according to the transmitted instructions.

According to a third aspect of the present invention, there is provided a workstation comprising a write protected device interface for receiving a storage device, a processor connected to the device interface and arranged to execute one or more services on the storage device and a gateway device connected to the processor and arranged to create and to manage secure private connections to and from the processor over a network.

Owing to the invention, it is possible to provide a system, comprising hardware and software, that enables a forensic analyst to perform forensic imaging, analysis and/or data recovery on digital or other media located remotely from the forensic analyst, using secure remote access to, and control of, dedicated forensic or data recovery equipment via any network or Internet connection but without the need for the data being processed to be transferred over the network or for anything to be installed on the computer under investigation or for the computer under investigation to be connected to a network and while maintaining an auditable trail of actions, in order to provide evidential continuity.

The invention comprises a system whereby the services can be performed on an item of storage media by removing it from a target computer and placing it in a workstation to which a specifically authenticated user is granted remote access via a secured network connection, managed by a gateway device in the workstation, created specifically for the purpose of performing the services on the storage media located in the specific device.

The invention provides a technical environment in which the services can be performed on storage media removed from a target computer, in one location, by a user located in a different location, over a secure network connection which is specifically and dynamically created for the purpose and without the need to install any software or create any network connection between the remote user and the target computer.

The invention includes a method of allowing an authorised person to access a software application for the purpose of recording details about the services to be performed. The method includes recording the type of services to be performed, selecting the person or organisation who is required to perform the services, identifying the target computer containing the storage media on which the services are to be performed, identifying the specialist equipment to which the storage media requiring the services is to be attached and identifying the person who will be instructed to remove the storage media from the target computer and place it into the specialist equipment.

The invention includes a method of recording the actions taken by the users of the system for the purpose of maintaining a contemporaneous log of actions to show the sequence of events that led to the services being performed. The invention includes a method of generating a unique digital authority and for distributing this authority to the nominated remote user for the purpose of granting the remote user access to the remote device containing the storage media.

The invention describes a method and technical architecture by which a person with appropriate access rights and authority is given secure remote access, from an Internet or network connected computer located anywhere, to a workstation, which is referred to in this application as a POD, located anywhere, which is configured with appropriate hardware and software to enable the services to be performed on storage media attached to it.

Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:—

FIG. 1 is a schematic diagram of a workstation,

FIG. 2 is a schematic diagram of a management server,

FIG. 3 is a schematic diagram of a system for providing remote access to a target device, and

FIG. 4 is a flow diagram of a method of operating the system of FIG. 3.

In this specification a variety of technical terms are used, and these are defined in the following paragraphs.

The term “services” refers to, but is not restricted to, performing the following tasks:

- Digital Forensics: is the term given to the process of examining digital storage media for the purpose of identifying and analysing data. Commonly, digital forensic examination of storage media may be required when investigating computer systems and/or networks that have, for example, been associated with criminal activity or have been the target of abuse or misuse.
- Forensic Imaging: is the process of creating a trusted copy of an item of digital storage media in such a manner that the imaging process is non-invasive to the original media and the process and resultant data can be verified as being an accurate representation of the original media. Following the process of forensic imaging, the resultant data is known as a forensic image.
- Forensic Analysis: is the process of examining the contents of data stored on digital media using specialist software in a way that allows conclusions to be drawn about the data.
- Data Recovery: is the process of identifying and making available data that has become inaccessible to the usual owner or user of the data. Commonly, data recovery is required after accidental or deliberate deletion of data or following a physical or logical failure of the storage media on which the data is stored.

An investigation is the term used to describe the performance of any of the services on a single piece of digital media. A case is the term used to describe one or more investigations. Specialist software is any software that the user may use to perform digital forensic imaging, forensic analysis or data recovery. For the purpose of this document, the term specialist software may also refer to remote access software.

A network is the term used to describe a collection of two or more devices connected using a communications protocol. The Internet is the term used to describe a publicly accessible global network of networks providing access to multiple networked resources. An Intranet is the term used to describe a private network of networks which provides access to selected networked resources. A VPN (Virtual Private Network) is a private data network that makes use of a network infrastructure, maintaining security and privacy through the use of various protocols and security procedures.

A target computer (or target device) is any device which contains media that has been identified as requiring the services. For the purpose of this application, the term target computer includes any device that has digital storage attached to it and is not restricted to being a PC or other such computing device. Storage media is any device on which data is stored. For the purpose of this document, the term storage media may refer to, but not be limited to, hard disks, floppy disks, CDs and DVDs, USB removable storage devices and other solid state storage devices.

A Digital Certificate is a collection of data that establishes the credentials of an entity when engaging in digital transactions. It is issued by a certification authority (CA). It may contain or be comprised of a name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is genuine.

FIG. 1 illustrates a workstation 10, which can be considered as a remote “POD”. This workstation 10 is a combination of hardware and software which together replicate the functionality of a conventional forensic workstation and write blockers used by a forensic analyst when physically accessing target media.

In order to access the POD 10, the device 10 requires a network connection. In one case the POD 10 can be connected to the Internet and in another case it can be connected to an Intranet. In neither case is it a requirement for the POD 10 to be connected to the network on which the target machine to be examined is attached. Indeed, it is a specific advantage of the system that there does not need to be permanent network access to all (or even one) of the devices that may require examination, in order to gain access to a particular device when that device requires examination.

Specifically, each POD 10 comprises the following principal components:

- One or more drive units 12. The drive unit 12 includes a write protected device interface 14 configured to receive storage media to be examined, from a target device. The drive unit 12 is optionally configured with a read/write interface 16 to receive and store forensic images of media attached to the write protected interface 14. This allows a copy of the storage device being examined via the interface 14 to be made through the interface 16.
- A server 18. This comprises a computer with a suitable processor configured for performing forensic analysis and/or data recovery, and includes a network card and a suitable interface for connecting to both the drive unit 12 and a PAD. Optionally, a further connection can be provided to a device enabling remote power control and management to the server and/or drive unit.
- Pod Access Device (PAD) 20. This gateway device comprises a computer with a suitable configuration to act as both a Virtual Private Network (VPN) client and server, and a router. The gateway device 20 is arranged to create and to manage secure private connections to and from the processor 18 over a network (such as the Internet). Technologies other than a VPN could be used to achieve the same or a similar result, which is to create and manage secure private connections to and from the POD 10. The PAD 20 operates as a gateway device for connecting to a wider network such as the Internet and includes a further network interface for connecting to the server and optionally a further interface for connecting to the power management device. In FIG. 1, the three dotted lines coming from the PAD 20 represent 3 logical connections that the PAD can make. In a principal embodiment, these three logical connections would be carried by a single physical connection to the external network.

It is conceivable that the above three components could be facilitated by a single computer acting as the server and the PAD, with the drive units attached.

One or more PODs 10 may be located at convenient locations where it is anticipated that forensic analysis or data recovery may be required. Each POD 10 is accessible, via its respective network connection, independently of each other. The network connection can be via the Internet or via a private network such as an Intranet.

The server component 18 in each POD 10 is configured with software appropriate to the task for which the POD 10 is to be used. These tasks may be, but are not limited to, performing forensic examinations of storage media or the recovery of data from storage media in the event of data loss or the recovery of passwords or decryption of encrypted data. It may be possible to connect multiple storage devices requiring examination to the drive unit 12 of each POD 10.

FIG. 2 illustrates a second component of the system, being a forensic incident management service which, for the purpose of this document, is called “FIMS”. This is hardware and software which together provide an investigation case management system, a POD access control system and a case reporting system. FIMS can be accessed from any computer connected to any appropriate network, including the Internet, providing that the user has an appropriate account supported by FIMS.

The hardware on which FIMS is run can be located anywhere provided it has an appropriate network connection. A single FIMS installation can support one or more PODs 10. Specifically, FIMS contains details of the following: FIMS Customers, Forensic Service Partners (FSPs), and the PODs 10 associated with the FIMS 22.

The management service FIMS 22 comprises the following principal components: a FIMS management server 24, which is a computer with a suitable configuration for running the FIMS application, and a FIMS Access Device (FAD) 26, which is a computer with a suitable configuration to act as a network router and Virtual Private Network (VPN) server. The FIMS server 24 can be any suitable computer with an appropriate operating system.

The FIMS application is database driven, and the database contains the following entities, in order of level of control on the server:

A FIMS administrator—an account that allows creation and removal of FIMS customer accounts and FIMS customer administrator accounts to a FIMS server. This person can perform any and all functions below it. A FIMS server can support one or more FIMS customers.

A FIMS customer administrator—each FIMS customer must have a FIMS customer administrator. This person has the ability to add, edit and remove records relating to the FIMS customer for which they are the administrator. A FIMS customer administrator has overall control and authority over all subordinate FIMS customer accounts.

One or more FIMS customers—a FIMS customer is an entity, typically an organisation, with an account on a FIMS server which is created by the FIMS administrator. Details of the FIMS customer include but are not limited to, organisation name, main office address, details of all locations where the services may be required, details of all customer contacts etc.

One or more FIMS case managers—each FIMS customer can have one or more case managers, who can add, edit and delete cases within their own customer accounts.

One or more FIMS first responders—each FIMS customer can have one or more first responders, who are the contacts to whom instructions are sent relating to each target computer or storage media that needs obtaining and placing in the POD. The first responder is the person who is tasked with obtaining physical access to the storage media on which the services are to be performed. The first responder physically obtains the storage device to be examined from the target device and inserts that storage media in the write protected interface 14 of the POD 10.

One or more FIMS technical contacts—each FIMS customer can have one or more technical contacts whose function is to provide onsite support for the PODs in the event that they need servicing or any similar operation.

For each FIMS customer, the FIMS server 24 contains the following details: details of PODs—the location and configuration details for each POD to which the FIMS customer is able to gain access, and details of special requirements—including but not limited to details of specialist language, response time, time zone or skills required.

In addition to the details relating to the FIMS customer and PODs, the FIMS server 24 also contains details of the organisation and people with the specialist skills who can provide the services to the client. For the purpose of this application these entities are referred to as the Forensic Service Partner or FSP. Details relating to the FSP include but are not limited to, the FSP organisation, the name and addresses relating to the FSP organisation, and the FSP administrator, the name and contact details for the person responsible for adding, changing and deleting FSP contact details and subordinate FSP accounts.

The management service 22 also includes the FIMS access device (FAD) 26, which is a device running a VPN server that enables secure VPN connectivity between FIMS 22 and a POD 10, allows the POD 10 to securely update FIMS with information about the status of the POD and its activities and allows FIMS to query the status of the POD as required.

The system may also include a Network Authentication Service (NAS) used for software licence management. It is recognised that providing the services (at the POD 10) may require the use of specialist software which, in turn, requires access to a licence that is authenticated by an electronic device known as a dongle. Such a dongle can either be connected directly to the POD server 18 or accessed via a connection to a remote device to which the dongle is attached. Optionally, the system can include a secure connection to a device providing software licence authentication or access control for the specialist software installed on the POD server 18.

An example of such a device is the Network Authentication Service (NAS) used by one vendor of forensic software in which an electronic dongle is installed in a computer referred to as the NAS and has associated with it one or more licences for the specific software. Multiple copies of the software may be installed on multiple other computers located at remote locations but each installation must obtain a valid licence by contacting the NAS and being allocated a licence before it can be used.

In summary, the system provides a secure method for entering details about a requirement for services to be performed on items of storage media into a database and software application (FIMS), which in turn identifies an appropriate person or organisation (FSP) to carry out the services together with an appropriate device (POD) into which the storage media can be installed to allow the services to be performed by sending instructions to the POD via a secure network connection created specifically to allow access to the specific POD by the specific FSP.

Additionally, the system provides a method by which instructions relating to physically obtaining the storage media from its original location and making it available for remote access in a POD are created by FIMS using templates and made available to the FSP for transmission to the person acting as the first responder at the location where the storage media is located.

The system further provides a method by which the POD connects to FIMS by way of a specifically created VPN in order to update FIMS with the POD status. The system further provides a method by which reports can be produced from FIMS to provide a step by step chronology of events involved in the provision of the services and detailing the actions taken by the parties involved.

FIG. 3 provides an example embodiment of a schematic view of network and technical architecture of the system. The POD 10 is located remotely from the FIMS management server 24 and the access device (FAD) 26. A remote device 32 allows the FSP, who will transmit instructions from a processor of the device 32, to control the execution of one or more services of the workstation 10 on the storage device 38 (from the target device 36) that the POD 10 has received. The network 34 is used to interconnect various components of the system. Included in the embodiment of FIG. 3 are the authentication server 28 and a case manager 30.

The case manager 30 (CM) or any other permitted user can connect to the FIMS server 24 using any convenient secure network connection such as HTTPS over a TCP/IP network. Each FIMS server 24 is made available in much the same way as a webserver would be available on the Internet. The management service FIMS requires a correct user name and password before access is permitted to the FIMS server 24.

The remote user 32 such as a forensic service partner (FSP) can also connect to the FIMS server 24 using any convenient secure network connection such as HTTPS over a TCP/IP network. FIMS again requires a correct user name and password before access is permitted by the remote user 32 to the FIMS server 24.

When a connection is required to be made between the remote user 32 and the POD 10, the FIMS server 24 creates two unique files, firstly a “pod access configuration file” (PACF) containing the specific address and other connection details required to create a VPN connection between the remote user 32 and the specific POD Access Device (PAD) 20, and secondly a unique digital certificate (DC) used to authenticate the remote user 32 over the VPN onto the specific POD 10.

The management service FIMS transmits the above two files, together with any other files required by the remote user 32 to create the VPN connection, to the remote user 32 via any convenient network such as TCP/IP. The files transmitted can optionally be encrypted and/or compressed into a single file to improve transmission speed and/or security. The management server 24 facilitates a connection between the network interface of the remote device 32 and the gateway device 20 (the PAD) of the workstation 10.

For added security, prior to the remote user 32 attempting to establish connection with a POD 10, the POD server 18 and/or the drive unit 12 may be in a standby mode or powered off. The Pod Access Device (PAD) 20 must always be in a powered on state and able to accept connections via TCP/IP. In such circumstances, the POD server 18 or some other device controlling it must be equipped with capabilities which allow a device to be powered on using command signals transmitted via a TCP/IP network.

In such circumstances, the action of a remote user 32 to establish, using an appropriate digital certificate, a remote connection with a PAD 20 connected to the POD server 18 will result in the PAD 20 transmitting command signals to the controlling interface and initiating the server 18 and/or the drive unit 12 to be powered on. A remote user 32 can only connect to a POD 10 once the remote user 32 is in possession of the appropriate digital certificate and POD access configuration file. Any attempt to connect to the network connections of the PAD 20 without the DC will result in a failure to connect to the POD server 18.

The FIMS server 24 or another trusted computer can be configured as the certificating authority (CA) associated with the production of the digital certificates used to authenticate access to the VPN. The CA generates a unique server DC for each PAD, which is sent to and installed on each PAD by FIMS. The CA later issues a client DC for a specified PAD using the CA credentials for that PAD. At any time, a user with appropriate credentials on the FIMS can request that any issued certificates are revoked. This action has the effect of preventing the revoked certificate from being able to authenticate a connection to a POD 10.
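The per-PAD certificate scheme described above, as an added example that is not part of the patent: it uses the Python `cryptography` package to model one set of CA credentials per PAD, and shows that a client certificate issued for one PAD is refused by another PAD and is refused by its own PAD once revoked. `PadCA`, `pad_admits` and the PAD and user names are hypothetical.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, public_key, signing_key, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(minutes=5))
            .not_valid_after(NOW + dt.timedelta(days=7))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

class PadCA:
    """CA credentials held for one PAD (hypothetical structure)."""
    def __init__(self, pad_id):
        self.cn = f"CA for {pad_id}"
        self.key = ec.generate_private_key(ec.SECP256R1())
        self.cert = _cert(self.cn, self.cn, self.key.public_key(), self.key, True)
        self.revoked = []

    def issue_client(self, user):
        """Client DC for one remote user, valid only under this PAD's CA."""
        client_key = ec.generate_private_key(ec.SECP256R1())
        return _cert(user, self.cn, client_key.public_key(), self.key, False)

    def revoke(self, cert):
        self.revoked.append(x509.RevokedCertificateBuilder()
                            .serial_number(cert.serial_number)
                            .revocation_date(NOW).build())

    def crl(self):
        """Signed revocation list the PAD consults before admitting a client."""
        builder = (x509.CertificateRevocationListBuilder()
                   .issuer_name(_name(self.cn))
                   .last_update(NOW).next_update(NOW + dt.timedelta(days=1)))
        for entry in self.revoked:
            builder = builder.add_revoked_certificate(entry)
        return builder.sign(self.key, hashes.SHA256())

def pad_admits(ca_cert, crl, client_cert):
    """Admission decision on the PAD: right issuer, valid signature, not revoked.
    Validity-period checking is assumed to be done by the VPN software."""
    if client_cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(client_cert.signature,
                                    client_cert.tbs_certificate_bytes,
                                    ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False
    serial = client_cert.serial_number
    return crl.get_revoked_certificate_by_serial_number(serial) is None
```

Because each PAD trusts only its own CA certificate, a leaked client certificate exposes one POD rather than the whole estate, and the revocation list is what makes the FIMS revoke action take effect at the gateway.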

In summary, the method of operating the system for providing remote access to the target device comprises receiving the storage device to be examined at the write protected device interface 14 of the workstation (the POD 10), establishing a secure and private connection over a network between the remote device 32 and the workstation 10, transmitting instructions from the remote device 32 to the workstation 10 (to control the execution of one or more services of the workstation 10 on the storage device), and executing one or more services on the storage device at the POD according to the transmitted instructions.

FIG. 4 shows the sequence of events, when operating the system, in more detail. For the purpose of this process flow description, it is assumed that all relevant details have previously been entered into FIMS management service. To preserve possible evidential continuity and to enable future reporting of the events in a manner that would be acceptable to forensic principles, FIMS records all actions and data in a database or other structure together with a suitable hash value for the records created and the data entered. The implementation of this hash methodology permits future checking of the data for signs of alteration.

Each step in FIG. 4 is numbered and the following is a description of each numbered step, in turn.

1. Using any convenient network connection, the case manager (CM) accesses the FIMS server 24 and logs onto the management service FIMS using a previously configured access account. Using the standard menus and functions of FIMS, the CM creates a new case.

2. Within the new case, the CM enters details of the services required and the location of the target computer and/or storage media requiring the services. Using the details already stored in its database, FIMS identifies and presents to the case manager, details of the first responders nearest to the location of the storage media, details of the nearest PODs based on geography, time zone or other preference, and details of FSPs, based on preferences such as preferred supplier, geographic location, skill set, time zone or other criteria.

The CM reviews the options presented by FIMS and has the option of accepting them or modifying them to meet other requirements. When satisfied with the selected options, the CM accepts the data. FIMS records these options in its database.

3. FIMS then contacts the nominated FSP using any suitable communication method such as email, SMS or voicemail and delivers the details of the case as provided by the CM together with a link which, if followed in a web browser, will present the FSP with access to the FIMS records for the case. If the FSP elects to use the link provided by FIMS, they will be prompted to log onto the FIMS server 24 using a previously created FSP account.

4. When the details of a case are entered by the CM, FIMS uses these details to create appropriate Case Paperwork (CP) and instructions that are intended to be provided to the first responder, who will be responsible for obtaining physical access to the storage media on which the services are to be applied. These instructions may be based on templates previously configured and stored in FIMS or may be standard instructions that cover basic steps and are not modified dynamically to reflect the actual case details. The instructions are stored in a manner which is associated with the specific case and FIMS provides a method whereby an authorised user can initiate the transmission of the instructions to the first responder.

5. Following receipt of the notification of a case by the FSP, the FSP can either use the link in the notice or can independently log into FIMS using a pre-configured log in account and gain access to the case details. The FSP reviews the case details and, if required, uses the contact information associated with the case to contact the CM and discuss the details. Assuming the FSP wishes to conduct the work, the FSP logs into FIMS and is presented with a method for accepting the work.

6. Following the FSP taking the above action to accept the case, FIMS may notify the CM that the FSP has accepted. Alternatively, the CM can log into FIMS and review the case to determine if the FSP has accepted. The CM completes the case acceptance process by using a method presented by FIMS to authorise the FSP to conduct the work.

7. Following the CM completing the FSP authorisation step, FIMS generates a unique digital certificate using the credentials of the Certificating Authority (CA) which will only authenticate the user of the certificate to gain access to a specific POD. Additionally, FIMS generates a unique POD access configuration file (PACF) which contains details such as an IP address and a port number that are required by the VPN software to create a VPN to the specified POD access device (PAD) connected to the POD.

Following the creation of the above files, FIMS transmits the files, together with any other files or software required by the FSP to the nominated FSP (at the remote device 32) using any convenient communications method such as HTTPS download, email or file transfer protocol (FTP).

8. Using the information provided by the CM and made available by FIMS, the FSP can make contact with the First Responder using any convenient means such as phone or email. The FSP can discuss the case and, if required, can transmit the case paperwork (CP) to the first responder using links or facilities provided by FIMS or by more direct communication methods.

It is expected that some time will elapse between step 8 and step 9 during which the first responder will use the details and instructions provided in the Case Paperwork or otherwise to gain physical access to the required storage media. The first responder will then notify the FSP using any convenient means that the storage media is available at the physical location of the POD. The first responder will then follow instructions provided in the case papers or by the FSP and will make the media available to an appropriate interface attached to the POD. In the case of a hard disk, the first responder may place the disk into a removable hard disk caddy and then place this caddy into the write protected bay of the drive unit which is attached to the POD.

In the case of a CD or DVD, the first responder may place the media into a CD or DVD reader installed in the POD server. Other devices may be placed into or connected to write protected interfaces configured in the drive unit of the POD Server.

If required, the first responder may be requested to place a clean hard disk into a removable drive caddy and subsequently to place this into the Read Write drive bay 16 of the drive unit 12 of the POD 10. This clean hard disk can be used to receive data copied from the media on which the services are being performed. If the services being performed include a forensic examination, this clean hard disk can be used to receive a forensic image of the media, a fundamental step in most forensic examinations, thus avoiding the need to transfer the data from the storage media across a network in order to obtain a forensic image.

9. When convenient, the FSP can initiate a connection to the PAD connected to the POD over any convenient network such as one using TCP/IP including the Internet or Intranet. Providing that the FSP is in possession of the appropriate Digital Certificate and POD access configuration file, the VPN server software running on the PAD will create a secure VPN connection across the TCP/IP network providing a secure connection to the POD.

10. In circumstances where the POD server is connected to IP controlled power management facilities, the PAD may automatically (or on the instruction of the FSP) transmit control messages to the POD server and/or the drive unit initiating them to be powered on.

11. In circumstances where the software installed on the POD server 18 requires software licence authentication provided by a physical dongle and that dongle is not present in the physical POD server 18, the PAD 20 or Pod Server 18 may connect to a device containing the software authentication device. Such a scenario is encountered where the software used supports access to a Network Authentication Service (NAS 28). In this situation, a VPN (with appropriate credentials) or other suitable connection to the NAS 28 is used to permit the POD server 18 to authenticate its software against a dongle or other licence management or authentication system installed in the NAS 28.

12. It is envisaged that there is a requirement to allow the POD 10 to create and update records stored in FIMS and for FIMS to control certain aspects of the POD activity. To facilitate this, a further VPN or other suitable connection is used between the POD 10 and a device running a VPN server which in turn is connected to FIMS using a private network connection (see also step 14). This permits a POD to transmit data to FIMS in a secure manner over any convenient network therefore maintaining the overall security of the environment.

13. Subsequent to the above steps being completed, the remote user 32 is able to issue commands from the computer connected to the POD 10 via the secure VPN to initiate a Terminal Services (TS) session using any suitable terminal services software. Using such a session it is possible for the remote user 32 to perform most, if not all, of the services that may be required using the system, without needing to transfer large volumes of the data being processed over the network to the computer 32 being used by the remote user. Examples of such tasks would be:

a. Creating a forensic image of media attached to the write protected interface 14 onto a clean disk attached to the read/write interface 16 of the POD 10. In such circumstances, it is possible for the remote user 32 to initiate the forensic imaging process between the two devices installed in the remote POD 10 and then, once started, the remote user 32 can disconnect from the POD 10 and the VPN without affecting the operation running on the POD 10. Then, at some future time, the remote user 32 can re-connect to the POD 10 and continue to work on the remote forensic image.

b. Connect to the POD 10 from any convenient network connection, including those not associated with or authorised to connect to the network on which the target computer that would normally contain the media to be examined is connected, and perform the services on media attached to either the read/write or the write protected interfaces 16 and 14 of the POD 10. Such network connections include wireless connections found in airports or hotels.

c. Perform any of the required services from a remote location over any network without requiring the software needed to perform the services to be installed on the remote user's computer.

d. Perform any of the required services without having to install anything on the target computer in which the storage media was stored.

14. From time to time FIMS may interrogate the status of the POD 10 using the VPN connection established between the POD 10 and the FIMS access device (FAD 26) which is a computer running a VPN server (see also step 12).

15. Upon completion of the provision of the services, the FSP may use the standard operating system commands available on the server to shut the server down. The FSP can then disconnect from the PAD 10.

16. At any time in the process so far described, the FSP may log into FIMS and record any desired notes in the case record. Such notes are stored together with a hash value to ensure data integrity. Following completion of the services, the FSP can use standard functions available in FIMS to set the status of the case or investigation as being completed.

17. At any time in the process so far described, the CM may log into FIMS and record any desired notes in the case record. The CM can also read any notes entered by the FSP associated with the case. All such notes are stored together with a hash value to ensure data integrity.

Following the case record being marked as completed by the FSP, the CM can use standard functions available in FIMS to confirm the status of the case or investigation and mark it as being CLOSED.

18. At any time subsequent to the events listed above, FIMS can be used to generate reports which include, but are not limited to:

a. Reports of all activities relating to a case or an investigation that was stored in FIMS. In such cases, the report may contain details of the hash values associated with every entry in FIMS.

b. Reports relating to POD usage statistics.

c. Reports relating to FSP usage statistics.

d. Reports relating to Client usage statistics.
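The hash values that FIMS stores with each record (introduced with FIG. 4 and relied on in steps 16 to 18) can be checked as in this added example, which is not part of the patent. It goes one step beyond the text by chaining each record's SHA-256 hash to the previous record's hash, so that deleted or reordered records are detected as well as edited ones; the field names and sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first record

def record_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash plus a canonical encoding of the entry."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + canon).hexdigest()

def append(log, ts, actor, action, detail):
    """Append one case-record entry and return the new head hash."""
    entry = {"seq": len(log), "ts": ts, "actor": actor,
             "action": action, "detail": detail}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": record_hash(prev, entry)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return (ok, index of the first failing record or None).

    expected_head is a head hash kept outside the database (for example in a
    printed report); without it, removal of the newest records goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        recomputed = record_hash(prev, rec["entry"])
        if rec["entry"]["seq"] != i or rec["prev"] != prev or rec["hash"] != recomputed:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    """Constructed sample entries following the FIG. 4 flow."""
    log = []
    append(log, "2024-01-01T09:00:00Z", "CM", "case_created", "new case")
    append(log, "2024-01-01T09:30:00Z", "FSP", "case_accepted", "work accepted")
    append(log, "2024-01-01T09:45:00Z", "FIMS", "dc_issued", "client DC and PACF sent")
    head = append(log, "2024-01-02T14:00:00Z", "FSP", "note", "imaging started")
    return log, head
```

A record that is edited and then re-hashed on its own still fails, because the next record's stored previous-hash no longer matches; only the externally held head hash catches a log that has been truncated or rebuilt end to end.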

1. A system for providing remote access to a storage device comprising: a network, a workstation comprising: a write protected device interface for receiving the storage device, a processor connected to the device interface and arranged to execute one or more services on the storage device, and a gateway device connected to the processor and arranged to create and to manage secure private connections to and from the processor over the network, and a remote device comprising: a network interface for connecting to the network, and a processor connected to the network interface and arranged to transmit instructions to control the execution of one or more services of the workstation on the storage device.
2. A system according to claim 1 further comprising: a management server comprising a network interface for connecting to the network, and a processor connected to the network interface and arranged to transmit to the remote device access information to facilitate a network connection between the network interface of the remote device and the gateway device of the workstation.
3. A system according to claim 2, further comprising: an access device, the access device connected to the management server and to the workstation, and arranged to transmit queries from the management server to the workstation.
4. A system according to claim 3, wherein the access device is arranged to maintain a secure connection between the management server and the workstation.
5. A system according to claim 2, further comprising: a case management device, the case management device connected to the management server and arranged to transmit to the management server a message initiating access to the gateway device of the workstation.
6. A system according to claim 1, further comprising: an authentication server, the authentication server connected to the workstation, and arranged to authenticate software executed by the processor of the workstation.
7. A method of operating a system for providing remote access to a storage device comprising: receiving the storage device at a write protected device interface of a workstation, establishing a secure and private connection, over a network, between a network interface of a remote device and a gateway device of the workstation, transmitting instructions from the remote device to the workstation to control the execution of one or more services of the workstation on the storage device, and executing one or more services on the storage device at the workstation according to the transmitted instructions.
8. A method according to claim 7 further comprising: operating a management service for providing case management and access control.
9. A method according to claim 8 further comprising: receiving an instruction at the management service initiating a case.
10. A method according to claim 9 further comprising: transmitting, from the management service to the remote device, details of the initiated case.
11. A method according to claim 8 further comprising: transmitting queries from the management service to the workstation.
12. A method according to claim 8 further comprising: transmitting updates from the workstation to the management service.
13. An apparatus comprising: a write protected device interface for receiving a storage device, a processor connected to the device interface and arranged to execute one or more services on the storage device, and a gateway device connected to the processor and arranged to create and to manage secure private connections to and from the processor over a network.
14. The apparatus according to claim 13 further comprising a read/write device interface for receiving a storage device.
15. The apparatus according to claim 13, wherein the gateway device is arranged to maintain a secure connection between the workstation and a remote device.
16. The apparatus according to claim 15, wherein the gateway device is arranged to receive instructions from the remote device to control the execution of one or more services of the workstation on the storage device.
17. The apparatus according to claim 15, wherein the gateway device is arranged to maintain a secure connection between the workstation and a management server.
18. The apparatus according to claim 15, wherein the gateway device is arranged to maintain a secure connection between the workstation and an authentication server.